Keywords: Vaccination passport, interoperability, Digital Green Certificate, fundamental rights. In order to limit the spread of the COVID-19 pandemic, EU Member States have adopted various measures, some of which impact on Union citizens’ right to move freely within their territory, such as restrictions on entry or requirements for cross-border travelers to undergo quarantine and are planning to launch initiatives to issue vaccination certificates[1]. Indeed many see the ‘passport’ as a necessary tool: o The airline industry has said they want to be able to verify the certificates before people can travel. o Employers may require it – particularly if your job involves working in confined spaces or with the public. o Governments may require it to access some services (healthcare or schools), places (public events and sporting events), and at checkpoints and borders[2]. One of the biggest issues is represented by interoperability and the European Council has repeatedly called for a coordinated approach and the mutual recognition of test results[3]. So the European Commission has been working with the Member States in the ‘eHealth Network’[4], on preparing the interoperability of vaccination certificates: guidelines were adopted on 27 January and updated on 12 March, and the trust framework outline was agreed on 12 March 2021[5]. In mid-March the Commission adopted a first legislative proposal establishing a common framework for a Digital Green Certificate[6] (“the Proposal”), then a complementary proposal to ensure that the DGC is also issued to non-EU nationals who reside in Member States or Schengen Associated States and to visitors who have the right to travel to other Member States (“the Second Proposal”), because there must be no difference in treatment of citizens and eligible non-EU citizens for the purpose of the certificates. To facilitate safe free movement inside the EU, the Digital Green Certificate will be a proof that a person either
It will be available, free of charge, in digital or paper format, including anyway a QR code to ensure security and authenticity of the certificate. “The Commission will build a gateway to ensure all certificates can be verified across the EU, and support Member States in the technical implementation of certificates; they remain responsible to decide which public health restrictions can be waived for travelers but will have to apply such waivers in the same way to travelers holding a Digital Green Certificate”[7]. On 17 March 2021, the Commission requested a Joint Opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS)[8] on the basis of Article 42(2) of Regulation (EU) 2018/1725 (“EUDPR”)[9] on the Proposal and the Second Proposal (jointly “the Proposals”). Finally, EDPB and EDPS adopted the joint opinion, as required. The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates[10]. With this Joint Opinion, EDPB and EDPS “invite the co-legislators to ensure that the Digital Green Certificate is fully in line with EU personal data protection legislation. The data protection commissioners from all EU and European Economic Area countries highlight the need to mitigate the risks to fundamental rights of EU citizens and residents that may result from issuing the Digital Green Certificate, including its possible unintended secondary uses”[11]. EDPB and EDPS “underline that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals[12], and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness”[13]. Given the nature of the measures put forward by the Proposal, i.e. Ø “The Digital Green Certificate will cover three types of certificates –vaccination certificates, test certificates (NAAT/RT-PCR test or a rapid antigen test), and certificates for persons who have recovered fromCOVID-19. Ø The certificates will be issued in a digital form or on paper. Both will have a QR code that contains necessary key information as well as a digital signature to make sure the certificate is authentic. Ø The Commission will build a gateway and support Member States to develop software that authorities can use to verify all certificate signatures across the EU. No personal data of the certificate holders passes through the gateway, or is retained by the verifying Member State. Ø The certificates will be available free of charge and in the official language or languages of the issuing Member State and English”[14], “the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework”[15]. Indeed, “key elements of the regulation proposed by the Commission today” include too: Ø “The certificates will include a limited set of information such as name, date of birth, date of issuance, relevant information about vaccine/test/recovery and a unique identifier of the certificate. This data can be checked only to confirm and verify the authenticity and validity of certificates. Ø The Digital Green Certificate will be valid in all EU Member States and open for Iceland, Liechtenstein, Norway as well as Switzerland. The Digital Green Certificate should be issued to EU citizens and their family members, regardless of their nationality. It should also be issued to non-EU nationals who reside in the EU and to visitors who have the right to travel to other Member States. Ø The Digital Green Certificate system is a temporary measure. It will be suspended once the World Health Organization (WHO) declares the end of the COVID-19 international health emergency”[16]. Actually, in the current emergency situation, some ‘caveat’ are crucial: “there seems to be little scientific evidence as to whether having received the COVID-19 vaccine (or having recovered from COVID-19) grants immunity, and, by extension, how long such immunity may last. But scientific evidence is growing daily.
Going into the path necessary to ensure full compliance with the GDPR, two fundamental points emerge: 1) Data protection: In practice, ü only the bare minimum set of data that is required for the supported use cases should be processed (data minimisation) and ü the purpose of data collection should be checked against the use cases (purpose limitation). ü Similarly, only the bare minimum set of data that is required for the supported use cases should be presented to a specific verifier (data minimisation) and ü the purpose of data presentation should be checked against the use cases (purpose limitation)”[18]. 2) Data security and privacy by design and by default: “abuse of data by actors (especially, the certificate verifiers and holders) and forgery should be prevented by any reasonable means. ü Available tools should be used for restricting access to data and preventing malicious use of data, while the establishing of the authenticity of data and its link to the certificate holder should be ensured. ü The design should prevent the collection of identifiers or other similar data which might be cross-referenced with other data and re-used for tracking (‘Unlinkability’)”[19]. Going ahead, the ‘Joint Opinion’ includes specific recommendations for further clarifications”[20]: 3) Adoption of adequate technical and organisational privacy and security measures in the context of the Proposal: “the Proposal should state that the controllers and processors shall take adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, in line with Article 32 GDPR. These measures should consider for example the establishment of processes for a regular testing, assessment and evaluation of the effectiveness of the privacy and security measures adopted”[21]. 4) Identification of controllers and processors: “Due to the relevance of the Digital Green Certificate in the context of the exercise of the right of free movement, and taking into account the possible use of the certificate when travelling through various Member States, the EDPB and the EDPS recommend that the Proposal specifies that a list of all the entities foreseen to be acting as controllers, processors and recipients of the data in that Member State (other than the authorities responsible for issuing the certificates which listed in Article 9(4) of the Proposal) shall be made public. This will allow the EU citizens making use of the Digital Green Certificate to know the identity of the entity to whom they may turn to for the exercise of their data protection rights under the GDPR, including in particular the right to receive transparent information on the ways in which data subject’s rights may be exercised with respect to the processing of personal data”[22]. 5) Transparency and data subject’s rights: “The EDPB and the EDPS welcome Article 3(2) of the Proposal, which clarifies that “[t]he information contained in the certificates shall also be shown in human-readable form”. Due to the sensitivity of the data involved, the EDPB and the EDPS recommend the Commission to ensure that the transparency of the processes are clearly outlined for the citizens to be able to exercise their data protection rights”[23]. 6) Data storage: “The EDPB and the EDPS welcome Recital 40 of the Proposal stating that “[t]his Regulation does not create a legal basis for retaining personal data obtained from the certificate by the Member State of destination or by the cross-border passenger transport services operators required by national law to implement certain public health measures during the COVID-19 pandemic.” and Article 9(3) of the Proposal explicitly stating that “the personal data processed for the purpose of issuing the certificates referred to in Article 3, including the issuance of a new certificate, shall not be retained longer than is necessary for its purpose and in no case longer than the period for which the certificates may be used to exercise the right to free movement”, as these are both in line with the principle of data storage limitation of the GDPR”[24]. 7) International Data Transfers: as “international transfers could imply an additional risk for the processing of personal data, as third countries could give a secondary use to the data exchanged within the Digital Green Certificate framework. Therefore, the EDPB and the EDPS recommend to explicitly clarify whether and when any international transfers of personal data are expected and include safeguards in the legislation to ensure that third countries will only process the personal data exchanged for the purposes specified by the Proposal”[25]. To conclude for now, I would like to underline some remarks made by the European Data Protection Supervisor in his ‘Presentation to LIBE Committee’[26] [27]: Ø “I have long considered immunity passports as being highly problematic due to the lack of scientific evidence and high risks of stigmatisation, discrimination and exclusion. We strongly believe that the introduction of ‘immunity passports’ could also create a direct incentive to self-infection, thus being harmful while also putting at risk vulnerable groups. Ø The notion of ‘immunity’ was not used in this proposal and we agree that vaccination certificates are different by nature, as they simply attest whether an individual has been vaccinated. Vaccination passports have existed for a very long time and used for entirely legitimate purposes. However, we should think carefully about when and how vaccination certifications shall be used in the context of the current health crisis. Ø Overall, the Joint Opinion acknowledges the need to enhance the right to free movement within the EU Member States, and positively assesses the efforts of the Commission to propose the framework that respects privacy and data protection. Ø At the same time, the Joint Opinion adequately reflects the doubts and concerns about the respect for the fundamental rights of citizens when the system, which has been created to allow free movement of people inside the Union, would be used for other purposes. Ø We call for the respect of the principles of necessity, proportionality and effectiveness wherever and however the certificates are used”[28]. Substantially, any kind of discrimination[29]should never be allowed through vaccination certificates. And “this is not only exclusionary for communities that do not have access – endangering the health of some of the most vulnerable – it also goes against the broader public health benefits of vaccination: leaving large populations unvaccinated will mean that the virus remains a public health threat”[30]. But first of all “governments must ensure they base their decision, which could have resounding societal implications, on reliable scientific evidence supporting the epidemiological utility”[31]of vaccine certificates.
Source: EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate).
[1] “The assumption underlying the use of COVID-19 vaccine certificates is that vaccination not only protects individuals from disease, but also reduces their risk of becoming infected and spreading the virus. Under this assumption, vaccinated individuals could resume activities that entail social interactions and international travel without substantially contributing to onward transmission of SARS-CoV-2 within their community or abroad. On this basis, the USA and Israel have changed their behavioural recommendations for vaccinated individuals”, as we can read in The Lancet Microbe, Vaccine certificates: does the end justify the means?, The Lancet Microbe, Volume 2, Issue 4, 2021, Page e130, ISSN 2666-5247, https://www.sciencedirect.com/science/article/pii/S2666524721000677. [2] Cf. Privacy International, “Anytime and anywhere”: Vaccination, immunity certificates, and the permanent pandemic, European Digital Rights (EDRi), March 10, 2021 in https://edri.org/our-work/anytime-anywhere-vaccination-immunity-certificates-pandemic/. [3] See https://www.consilium.europa.eu/media/47296/1011-12-20-euco-conclusions-en.pdf. [4] It is a voluntary network created under article 14 of Directive 2011/24/EU on the application of patients' rights in cross-border healthcare. It provides a platform for Member States' competent authorities responsible for eHealth. [5] See eHealth Network, Interoperability of health certificates Trust framework V.1.0, 2021-03-12 in https://ec.europa.eu/health/sites/health/files/ehealth/docs/trust-framework_interoperability_certificates_en.pdf. The trust framework defines the rules, policies, protocols, formats and standards needed to ensure that Covid-19 health certificates are issued in such a way that their authenticity and integrity can be verified and trusted. This document outlines the trust framework and provides the basis for discussion with Member States on the implementation of interoperable certificates in EU Member States. Further elaboration on the specifications of the technical implementation will follow. The document may be subject to future modification as the COVID-19 situation evolves. [6] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate) COM/2021/130 final, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0130. [7] Cf. EU Commission, Coronavirus: Commission proposes a Digital Green Certificate, Press Release, 17 March 2021, Brussels in https://ec.europa.eu/commission/presscorner/detail/en/ip_21_118. [8] Cf. EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate), 31 March 2021, in https://edps.europa.eu/system/files/2021-04/21-03-31_edpb_edps_joint_opinion_digital_green_certificate_ en_0.pdf, pag. 4. [9] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39” (ibidem, pag.4). [10] Cf. EDPS, EU data protection authorities adopt joint opinion on the Digital Green Certificate Proposals, Press Release, 6 Apr 2021 in https://edps.europa.eu/press-publications/press-news/press-releases/2021/eu-data-protection-authorities-adopt-joint_en. [11] Ibidem. [12] Cf. “Key elements of the regulation proposed by the Commission today: .. Non-discrimination: Ø All people – vaccinated and non-vaccinated –should benefit from a Digital Green Certificate when travelling in the EU. To prevent discrimination against individuals who are not vaccinated, the Commission proposes to create not only an interoperable vaccination certificate, but also COVID-19 test certificates and certificates for persons who have recovered from COVID-19. Ø Same right for travellers with the Digital Green Certificate –where Member States accept proof of vaccination to waive certain public health restrictions such as testing or quarantine, they would be required to accept, under the same conditions, vaccination certificates issued under the Digital Green Certificate system. This obligation would be limited to vaccines that have received EU-wide marketing authorization, but Member States can decide to accept other vaccines in addition. Ø Notification of other measures – if a Member State continues to require holders of a Digital Green Certificate to quarantine or test, it must notify the Commission and all other Member States and explain the reasons for such measures”, as reported in EU Commission, Coronavirus: Commission proposes a Digital Green Certificate, Press Release Press Release, 17 March 2021, Brussels in https://ec.europa.eu/commission/presscorner/detail/en/ip_21_118, cit.. [13] Cf. also “the EDPB and the EDPS highlight that it is essential that the Proposal is consistent and does not conflict in any manner with the application of the General Data Protection Regulation (“GDPR”). This is not only for the sake of legal certainty, but also to avoid that the Proposal has the effect of directly or indirectly jeopardizing the fundamental right to the protection of personal data, as established under Article 16 TEFU and Article 8 of the Charter of fundamental rights of the European Union” in “EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate), 31 March 2021”, in https://edps.europa.eu/system/files/2021-04/21-03-31_edpb_edps_joint_opinion_digital_green_certificate_en_0.pdf, cit., pag.4. [14] As we can read in EU Commission, Coronavirus: Commission proposes a Digital Green Certificate, Press Release 17 March 2021, Brussels in https://ec.europa.eu/commission/presscorner/detail/en/ip_21_118, cit.. [15] Cf. EDPS, EU data protection authorities adopt joint opinion on the Digital Green Certificate Proposals, Press Release, 6 Apr 2021 in https://edps.europa.eu/press-publications/press-news/press-releases/2021/eu-data-protection-authorities-adopt-joint_en, cit.. [16] Cf. EU Commission, Coronavirus: Commission proposes a Digital Green Certificate, Press Release 17 March 2021, Brussels in https://ec.europa.eu/commission/presscorner/detail/en/ip_21_118, cit.. [17] As we can read in EDPS, EU data protection authorities adopt joint opinion on the Digital Green Certificate proposals, Press Release, 6 Apr 2021 in https://edps.europa.eu/press-publications/press-news/press-releases/2021/eu-data-protection-authorities-adopt-joint_en, cit.. [18] Cf. eHealth Network, Interoperability of health certificates Trust framework V.1.0, 2021-03-12 in https://ec.europa.eu/health/sites/health/files/ehealth/docs/trust-framework_interoperability_certificates_en.pdf, cit., pag..5. [19] Ibidem. [20] Provided in EDPS, EU data protection authorities adopt joint opinion on the Digital Green Certificate proposals, Press Release, 6 Apr 2021 in https://edps.europa.eu/press-publications/press-news/press-releases/2021/eu-data-protection-authorities-adopt-joint_en, cit.. [21] Cf. EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate), 31 March 2021, in https://edps.europa.eu/system/files/2021-04/21-03-31_edpb_edps_joint_opinion_digital_green_certificate_ en_0.pdf,cit., pag. 11. [22] Ibidem, pag.12. [23] Ibidem, pag. 12-13. [24] Ibidem, pag. 13. [25] Ibidem, pag.13. [26] The Committee on Civil Liberties, Justice and Home Affairs (LIBE) is a committee of the European Parliament that is responsible for protecting civil liberties and human rights, including those of minorities, as listed in the Charter of Fundamental Rights of the European Union. [27] Cf. Presentation by Wojciech Wiewiórowski of the EDPB- EDPS Joint Opinion on the Digital Green Certificate Proposals to the Committee on Civil Liberties, Justice and Home Affairs (LIBE), in https://edps.europa.eu/data-protection/our-work/publications/speeches-articles/presentation-edpb-edps-joint-opinion_en. [28] Ibidem. [29] See for example “broad application of mandated vaccine certification for discretionary travel — or to access restaurants, sporting events, gyms, concerts and other leisure facilities — sharpens each of our concerns about increasing inequity” in Françoise Baylis & Natalie Kofler, Vaccination certificates could entrench inequality, Nature, 19 March 2021 in https://doi.org/10.1038/d41586-021-00757-x. [30] Cf. Privacy International, “Anytime and anywhere”: Vaccination, immunity certificates, and the permanent pandemic, European Digital Rights (EDRi), March 10, 2021 in https://edri.org/our-work/anytime-anywhere-vaccination-immunity-certificates-pandemic/, cit.. [31] Cf. The Lancet Microbe, Vaccine certificates: does the end justify the means?, The Lancet Microbe, Volume 2, Issue 4, 2021, Page e130, ISSN 2666-5247, https://www.sciencedirect.com/science/article/pii/S2666524721000677, cit.. To read the PDF click here. |